
Issue Paper: Asia-Pacific Bureau – Online Privacy

Building on the online privacy framework and concepts presented in the Internet Society Policy Brief on Privacy,[1] this issues paper focuses on online privacy concerns and good practices in the Asia-Pacific region. Please refer to the policy brief for an introduction to the topic.

The Issues

Online privacy is a serious concern across all social, economic and cultural contexts, according to various surveys and studies.[2]

In a survey commissioned by Big Brother Watch, over 80% of the respondents across Australia, India, Japan and the Republic of Korea are concerned about online privacy (Figure 1).

In another survey supported by the World Economic Forum, between 40% and 70% of the respondents from different countries (with an average of 58%) value online privacy irrespective of the level of Internet diffusion. In Asia, the survey was conducted in Australia, New Zealand, China and India (Figure 2).

Figure 1. Level of concern about online privacy

Figure 2. Support for online privacy according to Internet diffusion

In the latest annual survey of the Internet Society on policy issues in the Asia-Pacific,[3] cybersecurity and privacy replace e-commerce and cloud computing in the top five most monitored policy areas. The survey also reveals that 59% of the respondents believe that their privacy is not sufficiently protected when they use the Internet.

These surveys show that there is a global culture developing in which Internet users worldwide share similar attitudes and values related to online privacy. The survey supported by the World Economic Forum also finds that when it comes to core Internet values, users generally want it all. They desire an online environment where they can simultaneously express themselves freely, protect their personal data and privacy, trust the people and information they find, and feel secure.

But the right to online privacy is often sidelined by claims for security and surveillance, transparency and right to information, and socio-economic progress.

Security and surveillance

Many countries are using the need to increase public safety and security as a way to justify policies that authorize invisible automated surveillance and violate privacy rights.

Encryption is an important technical element of the solution to online security and privacy. But for the purpose of law enforcement and national security, some governments are controlling the use or effectiveness of encryption by gaining access to the means of decryption or decrypted information.

For example, China’s Anti-Terrorism Law that came into effect on 1 January 2016 requires telecoms and Internet service providers to provide decryption and other technical support to authorities that are investigating terrorist activities.[4]

After terrorism-related incidents, India began implementing the Central Monitoring System to intercept and monitor phone and Internet services in real time.[5]

Transparency and right to information

As corruption is prevalent in many Asia-Pacific countries, it is a positive sign when governments promote transparency and openness. The governments of Indonesia and the Philippines are two of the eight founding members of the Open Government Partnership that aims to promote transparency, empower citizens, fight corruption, and harness new technologies to strengthen governance.[6] But unfortunately in this environment, efforts to focus on privacy are linked with secrecy and undermining transparency.

For instance, Indonesia’s amendment to the 2008 Electronic Information and Transactions Law in October 2016 included a “right to be forgotten” clause (the first in Asia-Pacific). The law allows citizens to request a court order to have information that compromises their privacy or unjustly damages their reputation removed from the Internet. But critics fear that the law could be misused by those in power as a censorship tool and to set back press freedom, which will affect the public’s right to information.[7]

Social and economic progress

The Sustainable Development Goal 16.9 aims to provide legal identity for all, including birth registration by 2030. National identification systems are being implemented throughout the Asia-Pacific region, and are increasingly linked to delivering public services and ensuring financial inclusion.

Many of these national identification systems are being updated to incorporate electronic and biometric elements as means of authentication for access to financial and social services (e.g., to fulfil requirements for opening bank accounts, and to benefit from government assistance programmes such as cash transfers, relief and welfare).

India’s Aadhaar is the world’s largest biometrics identity programme. The key privacy concerns related to this programme (and other national identity programmes that use biometrics) include the following:[9]

Registration is being outsourced to a massive group of private and public registrars and operators, increasing the chance of data breaches.

Once a person’s biometrics have been compromised, they cannot be reissued like passwords or signatures.

There are no privacy and data protection laws in place, and no independent privacy regulator.

Although the programme is voluntary, the need for an Aadhaar number for key services like attending school, getting married and buying cooking gas means that those without a number are excluded from these services.

Individuals categorized as poor, transgender and disabled in the system risk being discriminated against.

Databases previously in silos are now being interlinked. This means if there is a breach, more data is at risk and it makes datasets a more attractive target. At the same time, it can also enable pervasive surveillance systems, which could lead to categorization of individuals, discrimination, exclusion, unjust treatment and unequal opportunities.

In a survey commissioned by Privacy International, respondents from Hong Kong, Malaysia and the Philippines were interviewed. Results showed that:[10]

Today, large databases of data about us exist in the form of open data and big data. Increasingly, we are not being informed about the monitoring we are placed under, and are not equipped with the capabilities or given the opportunity to question these activities.

Open Data

As part of the open government movement, governments are opening up their previously locked datasets on population, public budgets, education, health, housing, trade, etc. Open data is linked with stimulating research and development, and driving innovation through the use and re-use of data to address development problems. These datasets, however, may include individual records that threaten individual privacy if released openly.

One of the most significant risks is the re-identification of de-identified data. For example, Australia’s Department of Health released over a billion lines of de-identified personal health data in 2016 but withdrew it shortly afterwards because Melbourne University researchers re-identified it.[11] In response, the Australian Privacy Act has been amended to make it a criminal offence to re-identify individuals from anonymized government datasets,[12] but in other countries of Asia-Pacific, re-identification is not a criminal offence.

Big Data

Corporations are collecting and using all forms of data—every online search made, webpage visited, e-mail or message sent, product or service purchased, leaves hundreds of thousands of electronic tracks about an individual. Tools are available to aggregate these electronic tracks to form individuals’ profiles. Research shows that the automated analysis of “likes” on Facebook alone can accurately predict individuals’ sexual orientation, ethnicity, and religious and political views in over 80% of cases, and use of addictive substances in over 65% of cases.[13] Big data has become a profitable commodity, as evident in targeted advertising, a multi-billion dollar business. Big data is also used for mass surveillance.

The social credit system collects information on all citizens from mobile phones, social media, e-commerce sites and various other sources, including government records, to rate not only individuals’ financial creditworthiness but also personal conduct. Those with high ratings are rewarded with access to loans, scholarships, jobs and various benefits like faster services at government offices, while those with low ratings risk being denied access to these services. The system is being piloted in various cities and expects to be rolled out nationwide by 2020.

At the same time, big data can offer insights to determine side-effects of drugs, optimize energy use, improve traffic control, and tackle other development issues. Mobile phone records have been used to track dengue fever, malaria and Ebola, for instance.

Lack of Awareness

Nevertheless, many individuals are unaware that they are being tracked. Do you agree to the terms of agreement on online sites without reading or understanding them?

A study analyzed the standard terms of agreement of popular online sites, highlighting terms that have an impact on users’ privacy rights.[15]

The problem with raising awareness about privacy issues is the difficulty of visualizing privacy harms, especially online. Users feel little sense of violation about their e-commerce transactions being tracked to profile them, or their e-mail messages being read.

But fundamentally, privacy is about promoting equality, about the ability to assert our rights in the face of significant power imbalances. Already, big data is being used by corporations to offer differential prices to consumers. It can also be used by those in the position of power to discriminate against specific groups, leading to denied access to services and employment, and harassment and violence.

The threats that women and men face online are different, and because of power imbalances, women are generally more vulnerable to cybercrimes, online surveillance and their impacts. For example, men are less likely to be threatened with death or rape for their oppositional or challenging views.[16] Tackling online privacy therefore needs to be gender sensitive.

The Opportunities

Global and regional efforts are bringing online privacy issues to the fore.

Laws are important in setting the standards that other countries and regions copy. For example, the European Union (EU) Data Protection Directive that prohibits the export of data to countries lacking similar protections, compels any country wishing to do business with the EU to pass comparable legislation. Japan, the Republic of Korea, the Philippines and other countries in the Asia-Pacific have recently passed or amended privacy laws to meet EU privacy standards.[17]

In the Asia-Pacific region, the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) system sets the standard for cross-border privacy protection. Japan is the first country in Asia to join the CBPR system. Other countries that have joined this system include Canada, Mexico and the United States. A recent survey indicates that the Philippines, Republic of Korea and Singapore “plan to join”, and Australia, Hong Kong, Taiwan and Viet Nam are “considering” joining the CBPR system.[18] On an individual company level, those that have been through the CBPR certification process include large corporations like Apple, HP, IBM and Merck.

In a survey by Telenor Group on Asia’s entrepreneurs, results show that more than a third of the respondents believe that cybersecurity and data privacy is their number one priority, and keeping their customers’ data safe and secure is the biggest challenge facing Asian startups.[19]

Privacy commissioners are building online trust through engagement with multiple stakeholders.

Privacy commissioners generally provide independent oversight and enforcement of privacy laws, as well as raise awareness of online privacy issues. Members of the Asia Pacific Privacy Authorities include privacy commissioners from Australia, Hong Kong, Japan, Republic of Korea, Macao, New Zealand, the Philippines and Singapore.

For example, the Hong Kong Privacy Commissioner for Personal Data (PCPD) is very active in responding to public enquiries and complaints about privacy, taking action on breach incidents, and raising awareness through engagements with government organizations, business professionals from different sectors, media agencies, students and the elderly. The PCPD has been promoting the implementation of the Privacy Management Programme in organizations. The programme aims to incorporate personal data privacy protection as part of organizations’ governance responsibilities.[20]

This is part of the trend to shift the onus of privacy protection to public and private organizations, as user consent alone in this increasingly complex digital environment places an undue burden on users, most of whom do not have the ability to fully understand the risks and ramifications.[21]

Alignment with the SDGs

The SDGs do not explicitly address online privacy issues, but they do reaffirm the importance of the Universal Declaration of Human Rights, as well as other international instruments relating to human rights and international law, which include the right to privacy.

The United Nations Statistical Commission created a Global Working Group on Big Data for Official Statistics to investigate the benefits and challenges of big data, including the potential for monitoring and reporting on the SDGs. Privacy is recognized as one of the key issues.[22]

Questions to Think About

What are the good practices (in law, governance and technology) for promoting innovation through the use of open data and big data, while at the same time ensuring that privacy rights are protected?

How can countries that have just started building their digital economies accelerate efforts towards addressing the lack of adequate national legislation and enforcement to protect individuals’ privacy rights?

How can countries address: (1) insufficient procedures for the use of surveillance; (2) practically no oversight of organizations that are accumulating more and more data of individuals; and (3) lack of remedies for violations of privacy?

What are the privacy implications of new and emerging technologies, such as the Internet of Things and Artificial Intelligence, and how can they be proactively managed (rather than merely reacting to their effects)?
